From 3f5bf9828b052e3f58b0115270e9b641e0864a72 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Thu, 24 Oct 2024 10:28:14 +0100 Subject: [PATCH 1/3] tests: k8s: Update bats We've seen some issues with tests not being run in some of the Coco CI jobs (Issue #10451) and in the envrionments that are more stable we noticed that they had a newer version of bats installed. Try updating the version to 1.10+ and print out the version for debug purposes Signed-off-by: stevenhorsman --- tests/gha-run-k8s-common.sh | 9 +++------ tests/integration/kubernetes/run_kubernetes_tests.sh | 2 ++ 2 files changed, 5 insertions(+), 6 deletions(-) diff --git a/tests/gha-run-k8s-common.sh b/tests/gha-run-k8s-common.sh index 7c35b797e0..0d98b9e5a2 100644 --- a/tests/gha-run-k8s-common.sh +++ b/tests/gha-run-k8s-common.sh @@ -101,14 +101,11 @@ function create_cluster() { } function install_bats() { - # Installing bats from the lunar repo. - # This installs newer version of the bats which supports setup_file and teardown_file functions. - # These functions are helpful when adding new tests that require one time setup. - + # Installing bats from the noble repo. sudo apt install -y software-properties-common - sudo add-apt-repository 'deb http://archive.ubuntu.com/ubuntu/ lunar universe' + sudo add-apt-repository 'deb http://archive.ubuntu.com/ubuntu/ noble universe' sudo apt install -y bats - sudo add-apt-repository --remove 'deb http://archive.ubuntu.com/ubuntu/ lunar universe' + sudo add-apt-repository --remove 'deb http://archive.ubuntu.com/ubuntu/ noble universe' } function install_kubectl() { diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index 7d4051d4c5..24d701e4e1 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh 
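Review bot: In install_bats, `sudo apt install -y bats` runs while the noble universe source is enabled, so apt may also resolve dependencies from a different release than the runner's, and nothing pins or checks the version the commit message asks for (1.10+). If either `apt install` fails, the `--remove` line may never run and the mixed-release source stays configured for later steps; whether that can happen depends on the script's errexit setting, which is not visible in this hunk. Consider checking `bats --version` against the required minimum right after the install. The deleted comment was the only in-file rationale for needing a newer bats, so a replacement such as `# noble universe is added only for this install (bats >= 1.10 needed) and removed again below` would help.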
@@ -129,6 +129,8 @@ fi ensure_yq +info "Running tests with bats version: $(bats --version)" + tests_fail=() for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]} do From 75cb1f46b843fc72565f03572578d16b0319e640 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 29 Oct 2024 21:30:47 +0000 Subject: [PATCH 2/3] tests/k8s: Add skip is setup_common fails At @danmihai1's suggestion add a die message in case the call to setup_common fails, so we can see if in the test output. Signed-off-by: stevenhorsman --- .../kubernetes/k8s-guest-pull-image-authenticated.bats | 2 +- .../integration/kubernetes/k8s-guest-pull-image-encrypted.bats | 2 +- .../integration/kubernetes/k8s-guest-pull-image-signature.bats | 2 +- tests/integration/kubernetes/k8s-guest-pull-image.bats | 2 +- tests/integration/kubernetes/k8s-liveness-probes.bats | 2 +- tests/integration/kubernetes/k8s-measured-rootfs.bats | 2 +- tests/integration/kubernetes/k8s-sealed-secret.bats | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats index c26bac30c7..1ab7aff6f4 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats @@ -16,7 +16,7 @@ setup() { [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" - setup_common + setup_common || die "setup_common failed" AUTHENTICATED_IMAGE="${AUTHENTICATED_IMAGE:-quay.io/kata-containers/confidential-containers-auth:test}" AUTHENTICATED_IMAGE_USER=${AUTHENTICATED_IMAGE_USER:-} AUTHENTICATED_IMAGE_PASSWORD=${AUTHENTICATED_IMAGE_PASSWORD:-} diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats index 7b12eada91..d64723057a 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats 
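Review bot: In the k8s-guest-pull-image-authenticated.bats hunk, `setup_common || die "setup_common failed"` puts setup_common on the left of `||`, and bash ignores errexit and the ERR trap for every command inside a function called that way. A step that fails in the middle of setup_common therefore no longer aborts setup, and `die` fires only if the function's final status is non-zero, which can hide the failures this change is meant to surface. The body of setup_common is outside this patch, so confirm it returns non-zero explicitly on each failing step, or keep the bare `setup_common` call and print the message from inside it. The same line is added in the encrypted, signature, guest-pull-image, liveness-probes, measured-rootfs and sealed-secret hunks, and each setup() continues past its hunk. The subject says "skip" while the code calls `die`.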
+++ b/tests/integration/kubernetes/k8s-guest-pull-image-encrypted.bats @@ -20,7 +20,7 @@ setup() { [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" - setup_common + setup_common || die "setup_common failed" ENCRYPTED_IMAGE="${ENCRYPTED_IMAGE:-ghcr.io/confidential-containers/test-container:multi-arch-encrypted}" DECRYPTION_KEY="${DECRYPTION_KEY:-HUlOu8NWz8si11OZUzUJMnjiq/iZyHBJZMSD3BaqgMc=}" DECRYPTION_KEY_ID="${DECRYPTION_KEY_ID:-ssh-demo}" diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats index 542ca6394e..4a9f17e457 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats @@ -22,7 +22,7 @@ setup() { tag_suffix="-$(uname -m)" fi - setup_common + setup_common || die "setup_common failed" UNSIGNED_UNPROTECTED_REGISTRY_IMAGE="quay.io/prometheus/busybox:latest" UNSIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:unsigned${tag_suffix}" COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed${tag_suffix}" diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats index cb91158566..503bf70d26 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats @@ -15,7 +15,7 @@ setup() { [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" - setup_common + setup_common || die "setup_common failed" get_pod_config_dir unencrypted_image="quay.io/prometheus/busybox:latest" image_pulled_time_less_than_default_time="ghcr.io/confidential-containers/test-container:rust-1.79.0" # unpacked size: 1.41GB 
diff --git a/tests/integration/kubernetes/k8s-liveness-probes.bats b/tests/integration/kubernetes/k8s-liveness-probes.bats index d5500e7fe4..a4011a6c71 100644 --- a/tests/integration/kubernetes/k8s-liveness-probes.bats +++ b/tests/integration/kubernetes/k8s-liveness-probes.bats @@ -14,7 +14,7 @@ setup() { agnhost_name="${container_images_agnhost_name}" agnhost_version="${container_images_agnhost_version}" - setup_common + setup_common || die "setup_common failed" get_pod_config_dir } diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index f442496f8c..afa31ae6b8 100644 --- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -22,7 +22,7 @@ check_and_skip() { setup() { check_and_skip - setup_common + setup_common || die "setup_common failed" } @test "Test cannnot launch pod with measured boot enabled and incorrect hash" { diff --git a/tests/integration/kubernetes/k8s-sealed-secret.bats b/tests/integration/kubernetes/k8s-sealed-secret.bats index 3029545ed2..4b520677ff 100644 --- a/tests/integration/kubernetes/k8s-sealed-secret.bats +++ b/tests/integration/kubernetes/k8s-sealed-secret.bats @@ -21,7 +21,7 @@ setup() { skip "Test skipped as KBS not setup" fi - setup_common + setup_common || die "setup_common failed" get_pod_config_dir export K8S_TEST_ENV_YAML="${pod_config_dir}/pod-sealed-secret.yaml" From 175ebfec7cc9a28888629112181956926bafacdd Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 4 Nov 2024 09:59:37 +0000 Subject: [PATCH 3/3] Revert "k8s:kbs: Add trap statement to clean up tmp files" This reverts commit 973b8a1d8fa6d3328d699e1b84af5d4e6e018b1c. As @danmihai1 points out https://github.com/bats-core/bats-core/issues/364 states that using traps in bats is error prone, so this could be the cause of the confidential test instability we've been seeing, like it was in the static checks, so let's try and revert this. 
Signed-off-by: stevenhorsman --- tests/integration/kubernetes/confidential_kbs.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh index e8685d2dd9..ec9398cb62 100644 --- a/tests/integration/kubernetes/confidential_kbs.sh +++ b/tests/integration/kubernetes/confidential_kbs.sh @@ -85,13 +85,12 @@ kbs_set_resource_base64() { fi file=$(mktemp -t kbs-resource-XXXXX) - trap "rm -f $file" EXIT - echo "$data" | base64 -d > "$file" kbs_set_resource_from_file "$repository" "$type" "$tag" "$file" || \ rc=$? + rm -f "$file" return $rc } @@ -117,12 +116,12 @@ kbs_set_resource() { fi file=$(mktemp -t kbs-resource-XXXXX) - trap "rm -f $file" EXIT echo "$data" > "$file" kbs_set_resource_from_file "$repository" "$type" "$tag" "$file" || \ rc=$? + rm -f "$file" return $rc }
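Review bot: With the trap reverted, the temp file in kbs_set_resource_base64 is removed only if execution reaches `rm -f "$file"`. If `echo "$data" | base64 -d > "$file"` fails under errexit, the function leaves early and the decoded KBS resource, which may be secret material, stays in the temp directory; with errexit off, a bad decode is ignored and a truncated file is passed on to kbs_set_resource_from_file. Putting both steps under the status capture covers both cases, e.g. `{ echo "$data" | base64 -d > "$file" && kbs_set_resource_from_file "$repository" "$type" "$tag" "$file"; } || rc=$?`. The same applies to `echo "$data" > "$file"` in the kbs_set_resource hunk. Both functions start outside their hunks, so the initialisation of `rc` is not visible here.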